feat: added permission system configuration docs (#452)

# Description

Added sections to describe configuration options for Prividiums

Author: yuliyaalexiev

content/10.zk-stack/00.index.md

@@ -1,6 +1,6 @@
 ---
 title: Overview
-description: This section provides an overview of the ZK Stack as a key tool to launch and operate ZKsync chains.
+description: This section provides an overview of the ZK Stack as a key tool to launch and operate ZKsync chains
 ---
 
 ZK Stack is a developer friendly modular framework that makes it easy for you to customize & deploy your own interoperable ZK-powered blockchains.

content/10.zk-stack/35.prividium/00.index.md

@@ -2,7 +2,6 @@
 title: Overview
 description: Learn about ZKsync Prividium.
 ---
-
 ZKsync Prividium lets institutions operate a **private**, permissioned blockchain within their own infrastructure or cloud,
 while still **anchoring every transaction to Ethereum** for security and finality.
 
@@ -16,47 +15,67 @@ This design solves a core challenge in enterprise blockchain adoption:
 ![ZKsync Prividium architecture diagram](/images/zk-stack/how-prividium-works.png)
 ::
 
+---
+
 ### Key Differentiators of ZKsync Prividium
 
 **Privacy with Control:**
 Transaction data remains offchain, so internal details such as trades and balances stay confidential.
 Each block is verified on Ethereum using zero-knowledge proofs.
-Chain operators can selectively disclose data to auditors or regulators without exposing the full ledger.
+Chain operators can selectively disclose specific data (for example, bytecode or token supply) to auditors or regulators without exposing the full ledger.
+
+**Role-Based Permissioning:**
+Prividium introduces a dynamic permissioning system managed through the **Admin Dashboard**, replacing static YAML files.
+Administrators can:
+
+- Add and manage users with Okta or crypto-native (SIWE) authentication
+- Create roles such as *Trader*, *Auditor*, or *Admin*
+- Assign permissions for contracts and functions directly in the UI
+- Configure selective disclosure for public endpoints
+
+Access control is enforced by the **Proxy RPC**, which validates user tokens against the **Permissions API** before any on-chain call is executed.
 
 **Built-in Compliance:**
-Role-based access controls, single sign-on integration, and support for KYC, KYB, and AML workflows are built in.
-Only authenticated and authorized users can interact with the chain, enabling policy enforcement from day one.
+Single sign-on with Okta, address-level identity binding, and fine-grained access policies are integrated out of the box.
+Only authenticated and authorized users can interact with the network, enabling compliance with KYC, KYB, and AML requirements from day one.
 
 **Ethereum Anchoring and Interoperability:**
 Each batch of transactions is finalized on Ethereum using a validity proof, ensuring tamper-proof integrity and trustless settlement.
 Assets and data can move between Ethereum and other public or private ZKsync Chains
-using native zero-knowledge-based bridges without relying on external custodians.
+using native zero-knowledge-based bridges without external custodians.
 
 **Scalability and Performance:**
-As a Validium chain, ZKsync Prividium stores state off-chain, enabling high throughput and low transaction costs.
-It supports latency-sensitive use cases like trading and payments without compromising on security.
+As a Validium chain, ZKsync Prividium stores state off-chain, achieving high throughput and low latency.
+It supports trading, payments, and settlement use cases that demand both privacy and speed.
+
+---
 
 ### What Data Is Public
 
-Only the state root hashes and zero-knowledge proofs are posted to Ethereum.
-No transaction inputs, addresses, or calldata are visible or inferable from public chain data.
+Only the **state roots** and **zero-knowledge proofs** are posted to Ethereum.
+No transaction inputs, addresses, or calldata are visible or inferable from public data.
 
-The only additional public data appears when interacting with non-private chains, such as deposits or withdrawals to Ethereum or other rollups.
-These interactions will be visible on the receiving chain.
+Selective disclosure can optionally expose verified metrics such as total and circulating token supply, or contract bytecode,
+through public read-only endpoints.
 
-All other transaction and state data remains inside the private chain database, accessible only to the operator.
+Interactions with public networks such as deposits or withdrawals remain visible on the receiving chain,
+but all other state data is kept private within the Prividium database.
 
 To learn more about data availability in the ZK Stack, visit the [Validium page](/zk-stack/customizations/validium).
 
+---
+
 ### How It Works
 
-ZKsync Prividium enforces privacy and access control at the API layer, using infrastructure built into the ZK Stack.
+ZKsync Prividium enforces privacy and access control using built-in infrastructure within the ZK Stack.
 
-- Access control is configured in a YAML file that defines which users or groups can call specific contracts and methods.
-- Users and applications connect through a Private RPC proxy, which enforces access policies on every request.
-- Authenticated users receive access tokens tied to their role, giving them a filtered view of the chain.
-- Full RPC and explorer access is restricted to chain operators and internal systems.
+- Users authenticate through **Okta SSO** or **Sign-in With Ethereum (SIWE)**.
+- All calls pass through the **Proxy RPC**, which checks the user’s token and permissions against the **Permissions API**.
+- Roles and permissions are defined in the **Admin Dashboard**, not static YAML files.
+- Access is controlled at the contract-function level, with optional restrictions based on function arguments.
+- Auditors and regulators can use **Selective Disclosure** to view approved on-chain data without accessing the private ledger.
+- Full RPC and explorer access remain restricted to chain operators and internal systems.
 
-The chain runs as a Validium. It executes transactions privately and stores state off-chain in a secure database.
-Each batch of transactions produces a zero-knowledge proof and a new state root that are submitted to Ethereum.
-This anchors the private chain to Ethereum, ensuring security and finality without exposing sensitive data.
+The chain runs as a Validium. It executes transactions privately and stores its state off-chain in a secure database.
+Each batch of transactions produces a zero-knowledge proof and a new state root submitted to Ethereum.
+This anchors the private chain to Ethereum, ensuring verifiable security and finality without revealing sensitive data.

content/10.zk-stack/35.prividium/02.features.md

@@ -15,7 +15,7 @@ Only cryptographic commitments—state roots and STARK-based proofs—are submit
 **Key capabilities:**
 
 - Keep all data inside your infrastructure (no transaction details on Ethereum)
-- Selectively mark contracts/methods as public, private, or role-gated via a policy file
+- Configure contract access policies through the Prividium Admin Dashboard, defining which functions are public, private, or role-restricted
 - Update access settings without redeploying contracts
 - Supply Merkle proofs or DB extracts for selective disclosure (e.g., audits, investigations)
 
@@ -28,18 +28,19 @@ Only cryptographic commitments—state roots and STARK-based proofs—are submit
 
 ## Fine-Grained Access Control
 
-All interactions with the chain are routed through a **Proxy RPC** that enforces access policies defined in a YAML configuration.
-
+All interactions with the chain are routed through a Proxy RPC that enforces access policies managed in the Prividium Permissioning System.
+Administrators configure roles, users, and permissions through the Admin Dashboard, which stores policies dynamically in the Permissions API.
 **Features:**
 
-- Wallet address whitelisting.
-- Define groups (e.g., traders, clients, auditors) and map them to specific methods and contracts
-- Unauthorized calls are blocked with HTTP 403 and logged for audit
-- Applies to all user calls, application traffic, explorer queries, and bridge operations
-- Authenticate users using corporate IdPs (Azure AD, Okta, Ping) via OIDC/SAML tokens - (coming soon)
+- Manage access using roles (e.g., Trader, Auditor, Admin) and assign them to users in the dashboard
+- Restrict contract functions by role, argument match, or both
+- Enforce access at the RPC layer; unauthorized calls return HTTP 403 and are logged for audit
+- Apply consistent access control across user calls, dApps, explorers, and bridges
+- Support for Okta and crypto-native Sign-in With Ethereum (SIWE) authentication
+- Configure and update permissions without redeploying contracts or editing files
 
 **Request Path:**
-Client → Proxy RPC → Sequencer RPC
+Client → Proxy RPC (permission validation) → Permissions API (policy check) → Sequencer RPC
 
 ## Compliance & Audit Support
 
@@ -50,7 +51,7 @@ Regulated entities require visibility, traceability, and selective access. ZKsyn
 - A private block explorer shows only what each user is authorized to view (gated via Proxy)
 - System logs from all core components are available for integration with enterprise logging and analytics tools
 - Chain operators can export inclusion proofs or filtered ledger views on-demand
-- Auditors can be granted scoped access without exposing unrelated user data
+- Auditors can be granted scoped roles through the Permissioning System, enabling view-only access without exposing unrelated data.
 
 ## Ethereum-Grade Finality
 
@@ -73,3 +74,10 @@ With shared settlement and ZK proofs, institutions can move assets securely and
 all without consortium agreements, third-party bridges, or compromises to customization.
 
 Daily operations remain private, but interoperability is opt-in and cryptographically verified.
+
+---
+
+### Next Step
+
+See [Configure Prividium](./config/authentication.md)
+for detailed steps on setting up authentication, users, roles, permissions, and selective disclosure.

content/10.zk-stack/35.prividium/05.architecture.md

@@ -3,40 +3,70 @@ title: Architecture Overview
 description: Understand how ZKsync Prividium works under the hood.
 ---
 
-ZKsync Prividium is built on a **permissioned Validium chain** enhanced with robust access control.
+ZKsync Prividium is built on a **permissioned Validium chain** with integrated, role-based access control.
 It runs a private instance of the ZKsync Chain, complete with its own sequencer and prover, inside an organization’s infrastructure or cloud.
-All transaction data and state are stored off-chain in a secure database, preserving confidentiality by design.
+All transaction data and state are stored off-chain in a secure database, ensuring privacy by design.
 
-A **Proxy RPC layer** acts as the system’s entry point. All interactions—whether from users, enterprise applications, block explorer queries,
-or bridge transactions—must go through this proxy. It enforces fine-grained access policies,
+A **Proxy RPC layer** serves as the single entry point to the network.
+All interactions — from users, enterprise applications, block explorers, or bridge operations — must pass through this proxy.
+It enforces fine-grained access rules using the **Prividium Permissioning System**,
 ensuring that only authenticated and authorized requests reach the chain.
-By separating the public interface from the internal blockchain components, ZKsync Prividium prevents unauthorized access and protects sensitive data.
+By separating the public interface from internal blockchain components, Prividium prevents unauthorized access and safeguards sensitive data.
 
-State updates are finalized on Ethereum via the **ZKsync Gateway**, which receives the ZKsync Prividium chain’s state roots and zero-knowledge proofs.
-This anchors the chain’s state to Ethereum, providing L1-grade security and enabling interoperability with other chains in the ZKsync ecosystem.
+State updates are finalized on Ethereum through the **ZKsync Gateway**, which receives the chain’s state roots and zero-knowledge proofs.
+This anchors the chain to Ethereum, providing L1-grade security and enabling interoperability with other ZKsync Chains.
 
-This architecture delivers privacy and control at the L2 level while inheriting security from Ethereum,
-making ZKsync Prividium well-suited for institutional use cases such as trading, payments, asset issuance, and compliance-sensitive workflows.
+This architecture delivers **privacy, compliance, and auditability** at the L2 level while inheriting the trust and finality of Ethereum,
+making ZKsync Prividium ideal for institutional use cases such as trading, settlement, asset issuance, and compliance-sensitive workflows.
 
 ::centered-container
 *Figure: High-level architecture of ZKsync Prividium.*
 ![ZKsync Prividium architecture diagram](/images/zk-stack/prividium-architecture.png)
 ::
 
+---
+
 ### Components
 
-Adding privacy to a ZKsync chain is possible by making changes
-to the RPC API and block explorer.
-The ZK Stack CLI provides a production-ready implementation
-of these changes for you, but they can be customized as needed.
-
-- [Access Controls](/zk-stack/prividium/permissioning): Fine-grained, role-based permissions ensure that only authorized personnel can
-view or interact with your private chain.
-- [Proxy RPC](/zk-stack/prividium/proxy) that filters requests based on the configured permissions. Authenticated JSON-RPC endpoints apply
-your internal access policies to every request, maintaining full control over data access and interactions
-- [Private Block Explorer](/zk-stack/prividium/explorer) with privacy protections enabled. This self-hosted interface gives authorized users
-visibility into transactions, blocks, and state without exposing sensitive data to the public
-- [Validium Chain](/zk-stack/customizations/validium): A dedicated ZKsync Chain deployed within your infrastructure.
-It includes a built-in sequencer and prover to handle transaction processing and proof generation privately.
-- [ZKsync Gateway](/zksync-protocol/gateway/overview): Receives ZK proofs from your permissioned chain and publishes commitments to Ethereum.
-This anchors integrity, ensures finality, and enables future interoperability.
+ZKsync Prividium extends the ZK Stack architecture with dedicated modules for privacy, governance, and access control.
+These components work together to provide secure, verifiable, and customizable network operations.
+
+- [**Permissioning System**](/zk-stack/prividium/permissions-overview):
+  A built-in role-based framework that manages **users**, **roles**, **permissions**, and **selective disclosure** through the **Admin Dashboard**.
+  Administrators define who can read or write to contracts and configure disclosure settings without modifying code or YAML files.
+
+- [**Proxy RPC**](/zk-stack/prividium/proxy):
+  The secure interface that filters every request based on the policies defined in the Permissioning System.
+  It validates user tokens issued via Okta or crypto-native (SIWE) login and enforces role and argument-level restrictions before forwarding to the sequencer.
+
+- [**Private Block Explorer**](/zk-stack/prividium/explorer):
+  A self-hosted explorer with access restrictions aligned to user roles.
+  It allows authorized participants to view transactions, blocks, and state data while protecting sensitive information from public exposure.
+
+- [**Validium Chain**](/zk-stack/customizations/validium):
+  A private ZKsync Chain deployed within your infrastructure.
+  It includes a dedicated sequencer and prover that execute transactions and generate zero-knowledge proofs locally.
+
+- [**ZKsync Gateway**](/zksync-protocol/gateway/overview):
+  Receives zero-knowledge proofs and publishes commitments to Ethereum.
+  This ensures data integrity, anchors the private chain to Ethereum, and enables future cross-chain interoperability.
+
+---
+
+### How Access Control Works
+
+1. Users authenticate via **Okta SSO** or **Sign-in With Ethereum (SIWE)** in the **User Dashboard**.
+2. The **Proxy RPC** forwards their request and token to the **Permissions API**.
+3. The **Permissions API** verifies the user’s identity, role, and function-level rules.
+4. Authorized requests are sent to the **Sequencer RPC**, which executes transactions privately.
+5. State updates are committed to Ethereum through the **ZKsync Gateway**.
+
+This design ensures that access control, compliance, and selective disclosure are built directly into the network stack,
+not managed through static configuration files.
+
+---
+
+### Next Step
+
+See [Configure Prividium](./config/authentication.md)
+for instructions on setting up authentication, users, roles, permissions, and selective disclosure.

content/10.zk-stack/35.prividium/10.run-prividium-chain.md

@@ -4,7 +4,7 @@ description: Get started running a local ZKsync Prividium chain with ZKsync Stac
 ---
 
 ::callout{icon="i-heroicons-light-bulb"}
-This guide is not yet updated to use the latest [Permissions API](/zk-stack/prividium/permissioning) or Atlas upgrade.
+This guide is not yet updated to use the latest [Permissions API](/zk-stack/prividium/permissions-overview) or Atlas upgrade.
 ::
 
 This guide shows you how to use the ZKsync Stack CLI to run local a ZKsync Prividium chain.

…k-stack/35.prividium/30.permissioning.md …/35.prividium/30.permissions-overview.mdcontent/10.zk-stack/35.prividium/30.permissioning.md renamed to content/10.zk-stack/35.prividium/30.permissions-overview.md content/10.zk-stack/35.prividium/30.permissioning.md renamed to content/10.zk-stack/35.prividium/30.permissions-overview.md

@@ -1,5 +1,5 @@
 ---
-title: Permissioning System
+title: Permissions Overview
 description: Learn about the Prividium Permissioning API and Selective Disclosure.
 ---